Windows Defender Attack Surface Reduction (ASR) Rules module

I’m pleased to share with you a new #PowerShell module about Windows Defender Attack Surface Reduction (ASR) Rules 🚀

After seeing what Palantir did about their ASR telemetry and the content of the following repository, I thought that we needed a more “PowerShell-friendly” way to view and set Windows Defender Attack Surface Reduction (ASR) rules.

It seems that I’m not the first person to have had this idea; you can find another implementation of it on the PowerShell Gallery here.

If you don’t know anything about Windows Defender Attack Surface Reduction, I’d recommend that you watch this 6-minute video Susan Bradley made.

My approach is slightly different from the two other PowerShell implementations/repositories mentioned above. I don’t provide a graphical interface (GUI), although you can of course pipe the output to the built-in Out-GridView cmdlet and inspect it there. Instead, I provide three functions that bind properly over the pipeline, and I made an effort to have all parameter values discoverable with the TAB key.

Let’s see some practical examples in a video:

I’d also like to point out another useful resource for testing the defense measures and their configuration.

What else?
If you encounter an issue with this module, you’re welcome to open an issue in the GitHub repo via this link.

Last but not least: say you’ve configured some ASR rules via GPO but not all of them. Get-ASRRuleConfig displays the effective rules that apply (from GPO or from the local configuration; when both define a rule, GPO wins over local). Set-ASRRuleConfig, however, can only set the local rules; it cannot touch GPO rules. If you use it to set a rule that is already managed by GPO, it changes the local value only, and a subsequent Get-ASRRuleConfig still shows the GPO value as the effective one. Remember: GPO wins.
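To make the “GPO wins over local” rule concrete, here is an added example (not code from the ASRRules module) that computes the effective state of every ASR rule from the registry and cross-checks it against what Defender itself reports. It assumes, as is not stated on this page, that locally set rules (Set-MpPreference/Add-MpPreference) live under the first key below, GPO-managed rules under the Policies key, one value per rule GUID, with 0 = Off, 1 = Block, 2 = Audit and 6 = Warn; the function and variable names are my own.

```powershell
# Added example, not code from the ASRRules module. Assumed registry locations (see lead-in):
$LocalKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'
$ActionName = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }   # assumed action codes

function ConvertTo-ActionName ([int]$Value) {
    if ($ActionName.ContainsKey($Value)) { $ActionName[$Value] } else { "Unknown($Value)" }
}

function Read-AsrRuleKey ([string]$Path) {
    # Returns @{ <rule guid, lower case> = <int action> }; empty when the key does not exist.
    $rules = @{}
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in $key.GetValueNames()) {
            # Only value names that are GUIDs are rules; data may be a DWORD or a string, hence the cast
            if ($name -as [guid]) { $rules[$name.ToLower()] = [int]$key.GetValue($name) }
        }
    }
    $rules
}

function Get-EffectiveAsrRule {
    $local  = Read-AsrRuleKey $LocalKey
    $policy = Read-AsrRuleKey $PolicyKey
    $ids = @($local.Keys) + @($policy.Keys) | Sort-Object -Unique
    foreach ($id in $ids) {
        $managedByGpo = $policy.ContainsKey($id)
        [pscustomobject]@{
            RuleId    = $id
            Local     = if ($local.ContainsKey($id)) { ConvertTo-ActionName $local[$id] } else { '-' }
            GPO       = if ($managedByGpo) { ConvertTo-ActionName $policy[$id] } else { '-' }
            # GPO wins whenever it defines the rule; otherwise the local value applies
            Effective = if ($managedByGpo) { ConvertTo-ActionName $policy[$id] } else { ConvertTo-ActionName $local[$id] }
            Source    = if ($managedByGpo) { 'GPO' } else { 'Local' }
        }
    }
}

function Test-AsrRuleConsistency {
    # Get-MpPreference reports the state Defender is actually using; a mismatch with the
    # registry-derived view means the assumptions above do not hold on this machine.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $reported = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) { $reported[$ids[$i].ToLower()] = [int]$actions[$i] }
    foreach ($rule in Get-EffectiveAsrRule) {
        $engine = if ($reported.ContainsKey($rule.RuleId)) { ConvertTo-ActionName $reported[$rule.RuleId] } else { '-' }
        [pscustomobject]@{
            RuleId    = $rule.RuleId
            Effective = $rule.Effective
            Source    = $rule.Source
            Defender  = $engine
            Match     = ($engine -eq $rule.Effective)
        }
    }
}

Get-EffectiveAsrRule | Format-Table -AutoSize
Test-AsrRuleConsistency | Where-Object { -not $_.Match }   # empty output means the two views agree
```

Run it once before and once after a Set-MpPreference call on a GPO-managed rule: the Local column changes, the Effective and Source columns do not, which is exactly the behaviour described above for Set-ASRRuleConfig followed by Get-ASRRuleConfig.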

How do I get started?

# Locate the module on the PowerShell Gallery
Find-Module -Name ASRRules -Repository PSGallery
# Save it without installing it, so you can review the code first
Save-Module -Name ASRRules -Repository PSGallery -Path ~/Downloads

Import-Module ~/Downloads/ASRRules/1.0.0/ASRRules.psd1 -Force -Verbose

# In PowerShell 7.x, if the import complains about the required module, load it first:
Import-Module -Name ConfigDefender -Force
Import-Module ~/Downloads/ASRRules/1.0.0/ASRRules.psd1 -Force -Verbose

Enjoy 😎

Quick post: Delete a WSUS update

  • Context

I started working on KB4577586, the update responsible for the removal of Adobe Flash Player.

I’ve encountered two issues.

  • Issue

First issue: I imported the update for Windows 10 20H2 x64 using the Id of Server 2019. D’oh!

Second issue: when I first imported my files and their Id, it failed with this message:
Exception calling “ImportUpdateFromCatalogSite” with “2” argument(s): “The underlying connection was closed: An unexpected error occurred on a send.”

  • Solution

Let’s start with the second issue: the fact that I could not import an update.
It appeared that, although I had set the correct protocol to use in my session,

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

the ImportUpdateFromCatalogSite method is a .NET method, and [Net.ServicePointManager]::SecurityProtocol only affects the current process. For .NET Framework 4.x to use strong cryptography (TLS 1.2 rather than the older defaults) machine-wide, the SchUseStrongCrypto value has to be set in the registry; it is read when a .NET process starts, which is why a reboot follows.

My second issue was solved by setting that value in both registry views:

$HT = @{
 Name  = 'SchUseStrongCrypto'
 Value = 1
 Type  = 'DWord'
}
# Set it in both the 64-bit and the 32-bit (Wow6432Node) registry views
'', 'Wow6432Node\' |
ForEach-Object {
 Set-ItemProperty @HT -Path "HKLM:\SOFTWARE\$($_)Microsoft\.NETFramework\v4.0.30319"
}
# The value is read at .NET process start, so reboot before retrying the import
Restart-Computer

Let’s get back to my first issue: I had the correct file but not the right Id.

# Identify the offending update (no Out-GridView available on this box)
(Get-WsusServer).SearchUpdates('4577586') | Select-Object Title, ProductTitles
# Find its Id: IUpdate.Id is an UpdateRevisionId, and DeleteUpdate() wants its UpdateId Guid
(Get-WsusServer).SearchUpdates('4577586') | Select-Object -First 3 |
Select-Object -Last 1 | ForEach-Object { $_.Id.UpdateId }
# Delete (no output if ok)
(Get-WsusServer).DeleteUpdate('20bd2d6b-26a9-4ddd-8a3f-04a79b683c1f')

I could reimport the same file using the correct Id, happy days 😎
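Putting the two fixes together, here is an added example (not code from the original post) that checks the SchUseStrongCrypto prerequisite in both registry views, lists the revisions of a KB in WSUS together with the products they were imported for, and deletes a revision by its UpdateId with a dry run first. It assumes the UpdateServices module (Get-WsusServer) is available, as it is on a WSUS server, and the IUpdateServer/IUpdate members used below (SearchUpdates, DeleteUpdate, Title, ProductTitles, Id.UpdateId, Id.RevisionNumber); the function names are my own.

```powershell
# Added example, not code from the original post. Assumes the UpdateServices module is present.
Import-Module UpdateServices -ErrorAction Stop

function Test-StrongCrypto {
    # SchUseStrongCrypto must be 1 in both the 64-bit and the Wow6432Node (32-bit) view;
    # it is read when a .NET Framework 4.x process starts, hence the reboot after setting it.
    foreach ($path in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                      'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $value = (Get-ItemProperty -Path $path -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
        [pscustomobject]@{ Path = $path; SchUseStrongCrypto = $value; Ok = ($value -eq 1) }
    }
}

function Get-WsusUpdateByKB {
    param(
        [Parameter(Mandatory)][string]$KB,   # article number without 'KB', e.g. '4577586'
        [string]$Product = '*'                # wildcard matched against the product titles
    )
    (Get-WsusServer).SearchUpdates($KB) |
        Where-Object { ($_.ProductTitles -join ';') -like $Product } |
        ForEach-Object {
            [pscustomobject]@{
                Title          = $_.Title
                Products       = ($_.ProductTitles -join ', ')
                UpdateId       = $_.Id.UpdateId          # the Guid that DeleteUpdate() expects
                RevisionNumber = $_.Id.RevisionNumber
            }
        }
}

function Remove-WsusUpdateById {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][guid]$UpdateId)
    if ($PSCmdlet.ShouldProcess($UpdateId, 'DeleteUpdate')) {
        (Get-WsusServer).DeleteUpdate($UpdateId)   # no output when it succeeds
    }
}

# Usage
Test-StrongCrypto | Format-Table -AutoSize           # both rows must show Ok = True before importing
Get-WsusUpdateByKB -KB '4577586' | Format-Table -AutoSize
# Narrow to the product the wrong Id belonged to (the page's case: a Server 2019 Id), then delete it
Get-WsusUpdateByKB -KB '4577586' -Product '*Server 2019*'
Remove-WsusUpdateById -UpdateId '20bd2d6b-26a9-4ddd-8a3f-04a79b683c1f' -WhatIf   # drop -WhatIf to delete
```

Showing ProductTitles next to each UpdateId is what prevents the first mistake above: the Windows 10 and Server 2019 revisions of the same KB share a title, so picking one by position in the result list is how the wrong Id gets chosen. Once the wrong revision is gone, re-import the file with the page’s ImportUpdateFromCatalogSite call and the correct Id.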